Kurtosys offers ironclad security at all layers of our technology stack, underpinned by ISO 27001 certification.
Security is present in all we do at Kurtosys – it is embedded into our platform, our organization and our employees.
ISO 27001 certification (Information Security Management) underpins our commitment at the highest level to security for our global customer base. We partner with a range of technology vendors to ensure we can mitigate cyber threats, and strive to keep educating our customers to increase awareness of the growing number of threats.
How can customers verify Kurtosys’s security posture?
Three key indicators:
- We have a full-time Security Officer and several trained and qualified staff supporting this role. Our Security Officer will answer your questions and provide any further details required by your IT and compliance teams.
- We have implemented ISO 27001 in full, and have certification for each of our three offices.
- We have an information security pack describing different aspects of our security at every layer of our technology stack.
How secure is your hosting? Have you had any security breaches?
Kurtosys has been hosting customer applications and websites for over 17 years without a data breach, data center breach or disaster recovery (DR) event. We host our platform using cloud technologies to take advantage of the security protocols, resilience and robust service features provided by these platforms. Among the services that protect and monitor our hosted platform are Cloudflare, AWS CloudWatch and Alert Logic. We also run monthly vulnerability scans on our production environments, and conduct an annual penetration test.
How will my data be protected? What regulations apply?
Although most of our customer data does not contain PII (personally identifiable information), we treat all customer data as confidential. Unless specifically authorized, all data remains within the closed systems of our data center. Access to this data is restricted to authorized individuals and recorded with a full audit trail. We respect the jurisdiction of customer data by offering our services in data centers within different areas of regulation, e.g. EU, US, UK, etc. We comply with applicable data privacy laws, including the GDPR (General Data Protection Regulation) and the Massachusetts data privacy law, and are registered with the ICO (Information Commissioner's Office), the UK's data protection authority. Although we no longer ship data between jurisdictions, we remain registered under the EU-US Privacy Shield Framework.
What is Kurtosys’s service record and how will you deal with incidents?
Our support commitment to you is 99.8% availability, 24×7. We aim to minimise disruption and outages related to operational or maintenance issues. Deployments and patching are normally performed without service downtime. In the event of an outage due to an operational or security issue, we follow an incident management process that includes reporting, RCA (root cause analysis) and remediation.
Do you have a business continuity and disaster recovery plan?
Our business continuity plan ensures that we are able to cope with a wide range of technological disruption, environmental disaster and asset loss. Incorporated in this, we have a disaster recovery plan which provides for the total loss of any data center, and includes procedures for data backups and their transfer to, and availability in, recovery locations. These backups support availability in a disaster and allow recovery from data corruption.
Do you plan and train for a cybersecurity incident?
We have a security incident response plan which includes procedures for different security incident types and classifications. We run security incident handling exercises to validate the plan and train staff. The whole organisation undergoes security awareness training and is regularly briefed on global issues and trends.
How do you monitor your third-party service providers?
We have a vendor risk assessment program that rates each vendor's criticality to our processes. Critical vendors, and the systems they supply, undergo an onboarding evaluation and a monthly review. We do not allow third parties or contractors access to any customer hosting environment.
If you require any additional information about our security protocol, please contact us for a copy of our Information Security Pack.